lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <JBEEIFHMJEMDBGMNEHCOKEEOCAAA.mevanchik@relationship1.com>
From: mevanchik at relationship1.com (Michael Evanchik)
Subject: YEY AGAIN Automatic
	remotecompromiseofInternetExplorer Service Pack 2 XP SP2

Had a mistake in my code o well.  Works now

PoC: http://www.michaelevanchik.com/security/microsoft/ie/xss/index.html

http://www.michaelevanchik.com/security/microsoft/ie/xss/writehta.txt <--
avp's should add this



Here is some new adodb code AVP's should add.  No longer needed to connect
to external source.  Malicious recordset can be built locally.


www.michaelevanchik.com
  -----Original Message-----
  From: Michael Evanchik [mailto:mevanchik@...ationship1.com]
  Sent: Monday, December 27, 2004 11:57 AM
  To: Ron Jackson; full-disclosure@...ts.netsys.com
  Subject: RE: [Full-Disclosure] YEY AGAIN Automatic
remotecompromiseofInternetExplorer Service Pack 2 XP SP2


  works on around 30 people i know so far.  Some it doesnt,  You have to be
admin, also view the source code you have to have the local html file in
c:\windows\pchealth\helpctr\  ect   specified

  Another could have been used
    -----Original Message-----
    From: full-disclosure-bounces@...ts.netsys.com
[mailto:full-disclosure-bounces@...ts.netsys.com]On Behalf Of Ron Jackson
    Sent: Sunday, December 26, 2004 11:14 AM
    To: full-disclosure@...ts.netsys.com
    Subject: RE: [Full-Disclosure] YEY AGAIN Automatic
remotecompromiseofInternetExplorer Service Pack 2 XP SP2


    Hmm,

       Popped up a help window with a few lines of text in it.but that was
it.  No files in startup.  Winxpsp2 fully patched, Sygate personal firewall,
Adaware SE professional.




----------------------------------------------------------------------------

    From: full-disclosure-bounces@...ts.netsys.com
[mailto:full-disclosure-bounces@...ts.netsys.com] On Behalf Of Michael
Evanchik
    Sent: Sunday, December 26, 2004 12:07 AM
    To: Aviv Raff; full-disclosure@...ts.netsys.com
    Subject: RE: [Full-Disclosure] YEY AGAIN Automatic remote
compromiseofInternetExplorer Service Pack 2 XP SP2



    try www.michaelevanchik.com/security/microsoft/ie/xss/index.html



    might be a little more reliable PoC



    1) new not known by AVP codes

    2) uses all start up menue languages

















      -----Original Message-----
      From: Michael Evanchik [mailto:mevanchik@...ationship1.com]
      Sent: Saturday, December 25, 2004 9:11 PM
      To: Aviv Raff; full-disclosure@...ts.netsys.com
      Subject: RE: [Full-Disclosure] YEY AGAIN Automatic remote compromise
ofInternetExplorer Service Pack 2 XP SP2

      Hi Aviv,



      Not sure what your issue is.  This has been tested on many people, and
it works on everyone.  Maybe its your pop up blocker?  Maybe its your AVP?



      This exploit is on Securityfocus and k-otik as they tested as well.
Http equiv verified before any post was made to FD.



      In either case we did not code around pop up blockers nor around known
virus strings.  This PoC is not for blackhats kiddies.



      Mike





      www.michaelevanchik.com



        -----Original Message-----
        From: full-disclosure-bounces@...ts.netsys.com
[mailto:full-disclosure-bounces@...ts.netsys.com]On Behalf Of Aviv Raff
        Sent: Saturday, December 25, 2004 7:47 AM
        To: full-disclosure@...ts.netsys.com; 'Michael Evanchik'
        Subject: RE: [Full-Disclosure] YEY AGAIN Automatic remote compromise
ofInternetExplorer Service Pack 2 XP SP2

        Hi,



        Somehow the POC does not work on both of my WinXPSP2 pro boxes.

        Both are fully patched, but one is hardened and the other is after a
clean install.



        After running the POC, the IE opens the Help window, but then
freezes for a couple of minutes.

        After IE stops freezing, there is no Microsoft Office.hta on the
startup folder.



        And yes, I'm running this on an Administrator account.



        Can anyone else confirm this?



        -- Aviv Raff
        >From "Zen and the Art of Why Linux Sucks": "Ahh.. Can you smell the
'open source' zealots in the morning?".








------------------------------------------------------------------------

        From: full-disclosure-bounces@...ts.netsys.com
[mailto:full-disclosure-bounces@...ts.netsys.com] On Behalf Of Michael
Evanchik
        Sent: Friday, December 24, 2004 6:11 PM
        To: full-disclosure@...ts.netsys.com; bugtraq@...urityfocus.com;
NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM; vuln@...nwatch.org
        Subject: [Full-Disclosure] YEY AGAIN Automatic remote compromise of
InternetExplorer Service Pack 2 XP SP2



        http://freehost07.websamba.com/greyhats/sp2rc-analysis.htm





        Microsoft Internet Explorer XP SP2 Fully Automated Remote Compromise

        Dec, 21 2004

        Vulnerable
        ----------
        - Microsoft Internet Explorer 6.0
        - Microsoft Windows XP Pro SP2
        - Microsoft Windows XP Home SP2

        Not Tested
        ------------------------
        - Microsoft Windows 98
        - Microsoft Internet Explorer 5.x
        - Microsoft Windows 2003 Server



        Severity
        ---------
        Critical - Remote code execution, no user intervention

        Proof of Concept?
        ------------------
        - http://freehost07.websamba.com/greyhats/sp2rc.htm

        - If an error is shown, press OK. This is normal.

        - Notice in your startup menu a new file called Microsoft
Office.hta. When run, this file will download and launch a harmless
executable (which includes a pretty neat fire animation)







        Michael Evanchik

        Relationship1

        p: 914-921-4400

        f:  914-921-6007

        mailto:mevanchik@...ationship1.com

        web: http://www.relationship1.com






############################################################################
#########
              This Mail Was Scanned by 012.net Anti Virus Service - Powered
by TrendMicro Interscan



-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20041227/87f2c1c2/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ